I’ve been attempting to get email notifications set up using a local Postfix server I set up a while ago. The server is pretty standard and works on everything else, but Duplicati isn’t able to verify the server certificate when connecting using SSL or STARTTLS. I use a certificate issued by my internal CA, and I’ve imported the root into the /etc/ssl/certs/ directory, as well as into the certmgr Trust store. I’ve also manually imported the server certificate into the AddressBook store to try to trust it directly. Unlike some of the other threads I’ve seen with similar issues, my Duplicati is running in a TrueNAS (FreeBSD) jail, rather than on a Linux system, and I’m using a private server and privately signed certificate rather than a public relay like Gmail with a publicly trusted cert, so most of the specific suggestions don’t work. The error when I try to run a send-mail is the following:
Whole SMTP communication: Connected to smtp://<hostname>:587/?starttls=always
S: 220 <hostname> ESMTP Postfix (Debian/GNU)
C: EHLO [<ip>]
S: 250-<hostname>
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-ETRN
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250-DSN
S: 250-SMTPUTF8
S: 250 CHUNKING
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
Failed to send message: MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.
The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons:
1. The server is using a self-signed certificate which cannot be verified.
2. The local system is missing a Root or Intermediate certificate needed to verify the server's certificate.
3. The certificate presented by the server is expired or invalid.
See https://github.com/jstedfast/MailKit/blob/master/FAQ.md#InvalidSslCertificate for possible solutions.
--> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception.
--> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at /wrkdirs/usr/ports/lang/mono/work/mono-5.10.1.57/external/boringssl/ssl/handshake_client.c:1132
=> An error occurred while attempting to establish an SSL or TLS connection.
The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons:
1. The server is using a self-signed certificate which cannot be verified.
2. The local system is missing a Root or Intermediate certificate needed to verify the server's certificate.
3. The certificate presented by the server is expired or invalid.
See https://github.com/jstedfast/MailKit/blob/master/FAQ.md#InvalidSslCertificate for possible solutions.
Return code: 0
I’ve even gone as far as using openssl s_client to manually connect, and it properly trusts the certificate and can connect, but Mono and Duplicati aren’t playing as nice with it.
EDIT: Adding the configuration options:
--send-mail-from=Source <source@example.com>
--send-mail-to=Destination <destination@example.com>
--send-mail-url=smtp://<hostname>:587/?starttls=always
--send-mail-username=<username>
--send-mail-password=<password>